The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency’s request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Note that the MBTA suit is still alive, even though at least one judge apparently understands it to be a weak case. I hope that if it isn’t dropped, the expense involved comes up in the looming fare increase debate…

What happens next? There’s still a lawsuit from the MBTA, right?
Probably the next thing is, hopefully at this point we’ll be able to settle this and make it go away. If not, we’re going to have to file a motion to dismiss the case, but I think, and I definitely hope, that things are kind of over now. We didn’t give the talk, which was I think a primary aim that they had. That was effective on their part.

The vendor should have disclosed the issue to their customers back in July.

The MBTA could have called the vendor when the issue was disclosed to them, and asked “What’s the story here?”

Or they could have done 30 seconds of research with any search engine, to discover this was a known problem. When I looked earlier:

“subway card hack” @ Google = 93k hits,
“subway card hack -mit” still leaves 64k chances to suck less. (I’ll grant these are sloppy statistics, but even if it was only 1,000 hits, surely a clue could have been found?)

I think it’s sad that Boston keeps arresting and hassling MIT students for being clever or interesting, while no one seems to be asking why the responsible adults aren’t being careful with our money and infrastructure.

My vote: Fire the security architect and CIO. Sue the vendor. Apologize to the students.